Aller au contenu

GenAI providers

Ce contenu n’est pas encore disponible dans votre langue.

Cortex can store and manage API credentials for GenAI providers. This lets agents and backend services access LLM capabilities through Cortex-managed keys instead of passing credentials in every request.


ProviderKey formatDefault modelFast modelQuality modelStatus
Google GeminiAIza...gemini-2.5-progemini-2.5-flashgemini-2.5-proProduction
OpenAIsk-...gpt-4ogpt-4o-minigpt-4oProduction
Anthropic Claudesk-ant-...claude-sonnet-4-6claude-haiku-4-5claude-opus-4-7Production

Each provider supports three model tiers: default (general purpose), fast (low latency, lower cost) and quality (highest capability). You can also configure additional custom model slots.


From the web UI, go to My Account > Providers.

  1. Select the provider you want to configure
  2. Paste your API key
  3. Choose models for the default, fast and quality tiers
  4. Click Save
  5. Optionally, click Test to verify the connection without consuming tokens

You can configure credentials for all three providers simultaneously. Each configuration is scoped to an owner (the authenticated user).

The REST API equivalent is PUT /api/account/providers/:provider with a JSON body containing apiKey and models.


GuaranteeMechanism
Keys encrypted at restAES-256-GCM with per-key unique IV
Encryption key requiredENCRYPTION_KEY env var (base64-encoded 32-byte key)
Tampering detectionGCM authentication tag — any bit flip produces a visible error
Keys never returned in cleartextThe API and UI only show a masked version (AIza••••••••Xy9z)
Keys never loggedThe decrypted key is used server-side only, never serialized to logs or responses
Connection test is non-destructiveTest pings the provider’s model listing endpoint, consuming zero tokens

Keys are stored in PostgreSQL (the provider_credentials table). The ciphertext, IV and authentication tag are stored separately. The encryption key itself is an environment variable managed by your deployment, not by Cortex.


  • Cortex does not proxy LLM requests. It stores credentials; the consuming application retrieves the decrypted key server-side and calls the provider directly.
  • Cortex does not impose a provider. Provider configuration is optional. You can run Cortex without any provider credentials configured — the catalogue, memory and governance features work independently.
  • Cortex does not track provider usage or costs. Cost management is your provider’s responsibility.